On Mon, Apr 23, 2001 at 04:36:04PM -0700, John Oliver wrote:
> Eric Kimminau wrote:
> >
> > I don't want to hear any of this stuff about "we just register the
> > netblock. We don't have anything to do with administering that host",
> > which is what I have gotten the last 4 reported hack incidents I have
> > reported.

> My response is:
> "You're the only contact I can find. Please forward my report on to
> whoever it is that's actually responsible for that host and make sure
> that they take heed. If you don't, you'll just keep getting reports
> about this, as there's no way for anybody to contact anyone but you".

> For the most part, though, they just never respond at all.

Ok... This is a minor rant from the other side of this fence.

Attitude is EVERYTHING!

I control a /16 netblock and I get reports like this. Part of that netblock is handled by an ISP so it's often their customers, and not even them, that are having the problems.

My rules...

I always try to respond. Sometimes it's not always possible or not appropriate. Most of the time any contacts regarding my /16 are responded to before I do anything else. If I can determine that the address in question is one that the ISP manages, their security department is Cc'ed in on any response and future correspondence. I have NEVER known them to not respond to anything I have forwarded to them for investigation.

If there is insufficient information to take any action or follow-up investigation, I'll inform the person of what is required and send them the addresses to follow up to. Most initial messages have no logs, no time stamps, no IP addresses, and no ntp trace information to correlate times. I guess people assume that I'm psychic and can guess which of 65,000 addresses they are referring to and when this was all supposed to have happened.

If a person makes a respectful request, I'll fall over backwards to try and help them. I'll forward their information to appropriate parties and I'll follow up personally.
Occasionally, someone will send me a message basically accusing ME of doing horrible things and threatening me with legal action and demanding who knows what. These go on the BOTTOM of my priority pile and do not get acted on until everything else I have to do is finished (guess when that is). I have yet to ever hear back from any of them. (OK. Small sample there. Maybe a half dozen over the last two years.)

(BTW... If I am threatened with "legal action" there are legal reasons why I should not respond directly. By threatening someone with legal action, their responses could be used against them in a legal proceeding, so the prudent legal course of action is to ignore such threats and NOT respond to them... Legal threats from a lawyer would get referred to my lawyer and even LESS would then get done. Consider that, if you think that making threats will get a faster response.)

Contrary to popular belief in some quarters, a port scan is NOT a capital offense. It will get investigated and it does often correspond to other illegal activity, but it, in and of itself, is not grounds for homicide. /;-/ Please restrain those requests. I will investigate port scanning activity (which is not illegal, so says the judge down here in Georgia, where I live) and the ISP may terminate a customer for violating their AUP, but let us do our jobs and make that judgement. Ask that we look into something and we will. Provide us with evidence and we will run it to ground. If there is something legally actionable, appropriate legal authorities will be notified. My logs contributed to action against an individual who was also attempting to break into NASA years ago. Make outrageous demands with no evidence and act like an asshole and, yes, you will get ignored.

Lots of times people mix terminology horribly. They claim it's from my "domain" or my "system" when they are referring to some address anywhere in the entire net block.
It helps if people at least try to act like they know what they're talking about and take a stab at understanding the language they are using. I do not expect people to be psychic and know how these addresses are allocated. I do expect that people wanting my assistance should understand that they are asking me to do something for them and, that by asking politely, I'm more than willing to help out if I can. I do expect some reasonable information up front (maybe not the first message but certainly on request) and I expect people to do their homework as well (ntp traces or something equivalent so times can be correlated).

I'll help if I get cooperation and courtesy. There's not much I can do, if I don't. The guys at the ISP are also equally cooperative and equally concerned about security. But we don't respond well to threats and we can't help without information and cooperation from the person making the request.

Make no mistake about it. Courtesy gets responses. Acting like an asshole to us, no matter what the perpetrator has done and no matter how furious you are, will NEVER get a faster response than simply asking. It can get you ignored. I know of no-one who is going to respond faster to threats or flames than to a courteous request. It's the best shot you've got. Anything else is worse.

All that being said... I've also had good and bad experiences in contacting other network administrators. It's been those experiences which have taught me how to treat others. I have found that I get the best responses when I treat that other administrator as a peer who is just as interested in the professional operation of the network as I am. Approach him with assistance and you are more likely to receive assistance in return. Remember too, that when we finally drill down to the true origin of the problem, it may turn out to be someone who has been compromised and is in need of our assistance.
We may never be able to determine "the guilty party" and may end up having to be satisfied at helping a customer or a friend clean up a mess he didn't deserve. There will generally be real good, real legal, reasons why we cannot provide you with more information on what actions we did or did not take.

So... Before you send that flame to some POC demanding his head, read it yourself, again, preferably after cooling down a bit. Ask yourself this... If you were receiving this message, how would you react? If it would piss you off about the asshole that sent it, then don't send it, rewrite it.

You still might get ignored. Some of the netblock POC information is woefully out of date and inaccurate. Some of the networks ARE run by assholes. But nothing you or I can do will improve on those situations. The ones you should be concerned about are the ones run by people who do care and do take offense when someone sends them a clueless tirade.

My $0.02.

> --
> John Oliver, System Administrator            http://www.allegiancetele.com
> ConnectNet, an Allegiance Telecom company    http://www.connectnet.com
> 6370 Lusk Blvd. Ste F103                     (858) 638-2020
> San Diego, CA. 92121                         FAX: (858) 623-1505

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
(The Mad Wizard)       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
NIC whois: MHW9        | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    | possible worlds.  A pessimist is sure of it!
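The triage the message describes (check that a report names an address inside the /16, normalize the reported times to UTC so they can be correlated, and Cc the ISP's security desk when the address falls in its sub-allocation, otherwise bounce the report as insufficient) as an added example; this is not code from the thread or from either poster. The netblock 10.0.0.0/16, the ISP sub-block 10.0.128.0/17, the contact address and the log lines are all constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed values (not from the thread): the /16 this responder controls, the
# half of it delegated to an ISP, and the ISP security desk to Cc for that half.
OUR_BLOCK = ipaddress.ip_network("10.0.0.0/16")
ISP_BLOCK = ipaddress.ip_network("10.0.128.0/17")
ISP_SECURITY = "security@isp.example"

# A usable log line: a timestamp that carries its UTC offset, plus a source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) .*?src=(?P<ip>[\d.]+)"
)

# Constructed sample report: two lines in the reporter's zone (-07:00), one line
# with nothing a responder can act on.
SAMPLE_REPORT = [
    "2001-04-23T16:36:04-07:00 sshd[123]: refused connect src=10.0.200.7 dst=192.0.2.10",
    "2001-04-23T16:36:09-07:00 sshd[123]: refused connect src=10.0.200.7 dst=192.0.2.10",
    "someone from your domain scanned me last night",
]


def triage(log_lines):
    """Classify a reported log excerpt the way the message describes.

    Returns a dict with:
      status   "insufficient" (nothing to act on), "forward-to-isp" or "actionable"
      cc       ISP security address when every usable event is in the ISP's block
      events   (utc_time, ip) pairs, times normalized to UTC for correlation
      problems what was wrong with lines that could not be used
    """
    events, problems = [], []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"no offset timestamp or source IP: {line!r}")
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if ip not in OUR_BLOCK:
            problems.append(f"{ip} is outside {OUR_BLOCK}: we are the wrong contact")
            continue
        utc = datetime.fromisoformat(m.group("ts")).astimezone(timezone.utc)
        events.append((utc, ip))
    if not events:
        return {"status": "insufficient", "cc": None, "events": [], "problems": problems}
    cc = ISP_SECURITY if all(ip in ISP_BLOCK for _, ip in events) else None
    status = "forward-to-isp" if cc else "actionable"
    return {"status": status, "cc": cc, "events": events, "problems": problems}
```

The `problems` list is what goes back to the reporter when the answer is "insufficient": it names exactly which lines lacked a zoned timestamp or source address, or pointed at someone else's space.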
This archive was generated by hypermail 2b30 : Tue Apr 24 2001 - 09:09:11 PDT